NetBIOS is a service that provides network connectivity and is often used for joining a domain and by legacy applications. It is a rather old technology, but it is still used in some software environments. And since it is an unprotected protocol, it can quite often be the starting point for an attack on a network. A good start is to scan for NetBIOS shares using NBTScan and the Nmap Scripting Engine.
For this task, our target machine will be Metasploitable 2, a virtual machine with vulnerabilities intentionally built into it. We will attack it with Kali Linux, a distribution for hackers and pentesters.
What is NetBIOS?
NetBIOS stands for "Network Basic Input/Output System". It is a service that allows computers to communicate with each other over a network. However, NetBIOS is not a network protocol but an API. It runs on top of TCP/IP using the NBT protocol, which allows it to work in modern networks.
NetBIOS provides two basic methods of communication. The datagram service lets hosts communicate over a network without establishing a connection, which is ideal where fast data transfer matters, for example, when generating errors. The session service, on the other hand, lets two computers establish a connection for more reliable communication. NetBIOS also provides name services that handle name resolution and registration on the network.
The main way attackers exploit NetBIOS is through poisoning attacks. In such an attack, an attacker who is already on the network masquerades as another machine in order to control and redirect traffic. At this stage, the attacker can also obtain hashed user credentials in order to crack them later.
How to use NBTScan
NBTScan is a command-line tool used to scan networks for NetBIOS shared resources and name information. It runs on both Unix and Windows and is included in the standard Kali Linux distribution by default.
The first thing we can do is print the help text, which gives an idea of all the tool's options and a few examples of scanning networks. Just type nbtscan in the terminal.
NBTscan version 1.5.1. Copyright (C) 1999-2003 Alla Bezroutchko.
This is a free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
    -v              verbose output. Print all names received from each host
    -d              dump packets. Print whole packet contents.
    -e              Format output in /etc/hosts format.
    -l              Format output in lmhosts format.
                    Cannot be used with -v, -s or -h options.
    -t timeout      wait timeout milliseconds for response. Default 1000.
    -b bandwidth    Output throttling. Slow down output so that it uses
                    no more that bandwidth bps. Useful on slow links,
                    so that ougoing queries don't get dropped.
    -r              use local port 137 for scans. Win95 boxes respond to this only.
                    You need to be root to use this option on Unix.
    -q              Suppress banners and error messages,
    -s separator    Script-friendly output. Don't print column and record
                    headers, separate fields with separator.
    -h              Print human-readable names for services.
                    Can only be used with -v option.
    -m retransmits  Number of retransmits. Default 0.
    -f filename     Take IP addresses to scan from file filename.
                    -f - makes nbtscan take IP addresses from stdin.
    <scan_range>    what to scan. Can either be single IP like 192.168.1.1
                    or range of addresses in one of two forms:
                    xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.

Examples:
    nbtscan -r 192.168.1.0/24
        Scans the whole C-class network.
    nbtscan 192.168.1.25-137
        Scans a range from 192.168.1.25 to 192.168.1.137
    nbtscan -v -s : 192.168.1.0/24
        Scans C-class network. Prints results in script-friendly
        format using colon as field separator.
        Produces output like that:
        192.168.0.1:NT_SERVER:00U
        192.168.0.1:MY_DOMAIN:00G
        192.168.0.1:ADMINISTRATOR:03U
        192.168.0.2:OTHER_BOX:00U
        ...
    nbtscan -f iplist
        Scans IP addresses specified in file iplist.
The simplest (and most basic) way to run this tool is to give it a range of IP addresses. In our case, there is only one computer on the network, so we will give it that machine's IP address.
IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
Here we see the IP address, the NetBIOS display name, the server (if any), the user and the MAC address of the target. Note that machines running Samba sometimes return all zeros as the MAC address in response to such a request.
We can get a little more information if we set the verbose -v flag.
nbtscan 172.16.1.102 -v
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service          Type
----------------------------------------
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
METASPLOITABLE   <00>             UNIQUE
METASPLOITABLE   <03>             UNIQUE
METASPLOITABLE   <20>             UNIQUE
__MSBROWSE__     <01>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP
WORKGROUP        <00>             GROUP
WORKGROUP        <1d>             UNIQUE
WORKGROUP        <1e>             GROUP

Adapter address: 00:00:00:00:00:00
----------------------------------------
In this case, we see some services and an indication of their type. The raw service codes are hard to read, which brings us to the next use case: printing the services in human-readable form. To do this, use the -h flag together with the -v flag.
nbtscan 172.16.1.102 -vh
Doing NBT name scan for addresses from 172.16.1.102

NetBIOS Name Table for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Name             Service                     Type
----------------------------------------
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
METASPLOITABLE   Workstation Service
METASPLOITABLE   Messenger Service
METASPLOITABLE   File Server Service
__MSBROWSE__     Master Browser
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections
WORKGROUP        Domain Name
WORKGROUP        Master Browser
WORKGROUP        Browser Service Elections

Adapter address: 00:00:00:00:00:00
----------------------------------------
Now we see a bit more information that may be useful to us. We can also set the -d flag to dump (print) the contents of the entire packet.
nbtscan 172.16.1.102 -d
Doing NBT name scan for addresses from 172.16.1.102

Packet dump for Host 172.16.1.102:

Incomplete packet, 335 bytes long.
Transaction ID: 0x00a0 (160)
Flags: 0x8400 (33792)
Question count: 0x0000 (0)
Answer count: 0x0001 (1)
Name service count: 0x0000 (0)
Additional record count: 0x0000 (0)
Question name: CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Question type: 0x0021 (33)
Question class: 0x0001 (1)
Time to live: 0x00000000 (0)
Rdata length: 0x0119 (281)
Number of names: 0x0d (13)
Names received:
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
METASPLOITABLE   Service: 0x00 Flags: 0x0004
METASPLOITABLE   Service: 0x03 Flags: 0x0004
METASPLOITABLE   Service: 0x20 Flags: 0x0004
__MSBROWSE__     Service: 0x01 Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084
WORKGROUP        Service: 0x00 Flags: 0x0084
WORKGROUP        Service: 0x1d Flags: 0x0004
WORKGROUP        Service: 0x1e Flags: 0x0084
...
This command gives us the packet data that was used in this request. Note that this parameter cannot be used with the -v or -h options.
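To make the fields in that dump concrete, here is an added example (not part of the original article and not nbtscan's own code) that parses a NetBIOS node status reply as laid out in RFC 1002 and decodes the question name shown above. The reply bytes are constructed in build_sample() to mirror the dump; the function names are chosen for this illustration.

```python
import struct

# (suffix, is_group) -> service label, as nbtscan -vh prints them on this page
SERVICES = {(0x00, False): "Workstation Service", (0x00, True): "Domain Name",
            (0x03, False): "Messenger Service", (0x20, False): "File Server Service",
            (0x01, True): "Master Browser", (0x1d, False): "Master Browser",
            (0x1e, True): "Browser Service Elections"}

def decode_l1(enc: bytes) -> bytes:
    """Undo RFC 1001 first-level encoding: each byte is two letters 'A'..'P'."""
    if len(enc) != 32 or any(not 0x41 <= c <= 0x50 for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    return bytes((enc[i] - 0x41) << 4 | (enc[i + 1] - 0x41) for i in range(0, 32, 2))

def parse_node_status(pkt: bytes):
    """Parse an NBSTAT (type 0x21) reply into (question, names, mac)."""
    if len(pkt) < 57:
        raise ValueError("too short for a node status reply")
    _txid, flags, _qd, an, _ns, _ar = struct.unpack_from(">6H", pkt, 0)
    rtype, _cls, _ttl, _rdlen, count = struct.unpack_from(">HHIHB", pkt, 46)
    if not flags & 0x8000 or an != 1 or pkt[12] != 0x20 or rtype != 0x0021:
        raise ValueError("not a node status reply")
    question = decode_l1(pkt[13:45]).rstrip(b"\x00").decode("ascii", "replace")
    names, off = [], 57
    for _ in range(count):
        if off + 18 > len(pkt):        # truncated reply: keep what was parsed
            break
        raw, suffix, nflags = struct.unpack_from(">15sBH", pkt, off)
        group = bool(nflags & 0x8000)  # G bit on the wire; 0x0400 means active
        names.append((raw.decode("ascii", "replace").rstrip(), suffix, group,
                      SERVICES.get((suffix, group), "unknown")))
        off += 18
    complete = len(names) == count and off + 6 <= len(pkt)
    mac = pkt[off:off + 6].hex(":") if complete else None
    return question, names, mac

def build_sample() -> bytes:
    """Constructed reply mirroring names from the dump above (not a capture)."""
    hdr = struct.pack(">6H", 0x00A0, 0x8400, 0, 1, 0, 0)
    qname = b"\x20" + b"CK" + b"A" * 30 + b"\x00"
    rows = [(b"METASPLOITABLE", 0x00, 0x0400), (b"METASPLOITABLE", 0x20, 0x0400),
            (b"WORKGROUP", 0x00, 0x8400), (b"WORKGROUP", 0x1e, 0x8400)]
    table = b"".join(struct.pack(">15sBH", n.ljust(15), s, f) for n, s, f in rows)
    rdata = bytes([len(rows)]) + table + bytes(6)  # all-zero MAC, as Samba sent
    return hdr + qname + struct.pack(">HHIH", 0x0021, 0x0001, 0, len(rdata)) + rdata

if __name__ == "__main__":
    question, names, mac = parse_node_status(build_sample())
    print("question:", question, "mac:", mac)
    for name, suffix, group, label in names:
        print(f"{name:<15} <{suffix:02x}> {'GROUP' if group else 'UNIQUE':<6} {label}")
```

The question name CKAAAA... decodes to the wildcard name "*", which asks the host to return its whole name table.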
If you want to scan a list of IP addresses stored in a file, you can use the -f flag to name that file as input, and the IP addresses will be read from it. In our case, there is only one computer on the network, so it is the only host that shows up in the scan.
nbtscan -f addresses.txt
Doing NBT name scan for addresses from addresses.txt

IP address       NetBIOS Name     Server    User             MAC address
------------------------------------------------------------------------------
172.16.1.102     METASPLOITABLE   <server>  METASPLOITABLE   00:00:00:00:00:00
Conversely, if you want to save the results of any scan, redirect the output to a file by adding > and the name of the file to the end of the command.
nbtscan 172.16.1.102 > scan.txt
Scan Using Nmap Scripting Engine
The Nmap Scripting Engine (NSE) includes one very handy little script that we can also use to detect NetBIOS shared resources. This method has a slight advantage over the previous one: it can be run together with other NSE scripts, which ultimately saves time when enumerating many different things on the network.
We will run Nmap in the usual way, and the nbstat script will run at the end. Here we use the -sV option to probe ports for running services and their versions, as well as the -v flag for verbose output. Specify the script that you want to use, and we are ready to go.
nmap -sV 172.16.1.102 --script nbstat.nse -v
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-14 14:12 CST
NSE: Loaded 44 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating NSE at 14:12
Completed NSE at 14:12, 0.00s elapsed
Initiating ARP Ping Scan at 14:12
Scanning 172.16.1.102 [1 port]
Completed ARP Ping Scan at 14:12, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:12
Completed Parallel DNS resolution of 1 host. at 14:12, 13.00s elapsed
Initiating SYN Stealth Scan at 14:12
Scanning 172.16.1.102 [1000 ports]
...
Host script results:
| nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: , NetBIOS MAC: (unknown)
| Names:
|   METASPLOITABLE<00> Flags:
|   METASPLOITABLE<03> Flags:
|   METASPLOITABLE<20> Flags:
|   \x01\x02__MSBROWSE__\x02<01> Flags:
|   WORKGROUP<00> Flags:
|   WORKGROUP<1d> Flags:
|_  WORKGROUP<1e> Flags:
Nmap starts and performs the usual scan, and then towards the end we finally see the results of the script. They are similar to the results of the scans we performed earlier, but it never hurts to know that there are different ways to perform the same task.
How to prevent scanning of shared NetBIOS resources
Fortunately for administrators, there is a fairly simple way to protect against unauthorized scanning of NetBIOS shared resources: disable NetBIOS itself. In some situations disabling it can cause malfunctions, for example when obsolete applications depend on it completely, but in most cases more modern replacements for those applications already exist and disabling NetBIOS does no harm. If you absolutely need NetBIOS, beware of using default names. In some versions of Windows, C$ or ADMIN$ are well-known names and should be avoided if possible.
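One way to check that disabling NetBIOS actually took effect is to re-run the scan in script-friendly mode (nbtscan -v -s : against your own range) and list the hosts that still answer. The following is an added example, not part of the original article: the sample output is constructed in the layout shown in the help text, and the allow-list of hosts permitted to keep NetBIOS is an assumption of this sketch.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the IP:NAME:<suffix><U|G> layout that the nbtscan help
# text shows for `-v -s :`; hosts and names are made up for illustration.
SAMPLE = """\
172.16.1.102:METASPLOITABLE :00U
172.16.1.102:METASPLOITABLE :03U
172.16.1.102:METASPLOITABLE :20U
172.16.1.102:WORKGROUP      :00G
172.16.1.110:PRINTSRV       :00U
not a record line
"""

def parse_records(output: str):
    """Return ({ip: [(name, suffix, is_group)]}, skipped_line_count)."""
    hosts, skipped = defaultdict(list), 0
    for line in output.splitlines():
        parts = [p.strip() for p in line.split(":")]
        try:
            if len(parts) != 3 or not re.fullmatch(r"[0-9A-Fa-f]{2}[UG]", parts[2]):
                raise ValueError(line)
            ip = str(ipaddress.IPv4Address(parts[0]))
        except ValueError:
            skipped += 1      # anything that is not a name record: count and skip
            continue
        hosts[ip].append((parts[1], int(parts[2][:2], 16), parts[2][2] == "G"))
    return dict(hosts), skipped

def still_exposed(output: str, allowed=frozenset()):
    """List hosts that still answer NetBIOS name queries and are not allow-listed."""
    hosts, _ = parse_records(output)
    findings = []
    for ip in sorted(hosts, key=ipaddress.IPv4Address):
        if ip in allowed:
            continue
        shares = any(sfx == 0x20 and not grp for _, sfx, grp in hosts[ip])
        note = "file server <20> registered" if shares else "answers name queries"
        findings.append((ip, hosts[ip][0][0], note))
    return findings

if __name__ == "__main__":
    for finding in still_exposed(SAMPLE, allowed={"172.16.1.110"}):
        print(*finding, sep="  ")
```

An empty result from still_exposed() for a range means no host outside the allow-list answered the name query.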
Conclusion
In this lesson we learned about the NetBIOS service and how it can be used in an attack. Using NBTScan, a simple console tool, we scanned and listed shared resources, and then figured out how to use the Nmap script for the same purpose. NetBIOS may be an obsolete technology, but it is still found in corporate environments. And often, after reconnaissance, exploiting it can be a good starting point, so it's helpful to know how it can be identified.